CVE-2025-2034
Published: 06 March 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2025-2034 is a critical SQL injection vulnerability affecting PHPGurukul Pre-School Enrollment System 1.0. The flaw resides in an unknown functionality of the file /admin/edit-class.php?cid=1, where manipulation of the arguments classname, capacity, or classtiming triggers the injection. Published on 2025-03-06, it is classified under CWE-74 and CWE-89.
The vulnerability enables remote exploitation over the network by unauthenticated attackers with low attack complexity and no user interaction required. Per the CVSS 3.1 score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), successful attacks can result in limited impacts to confidentiality, integrity, and availability.
Advisories and details are documented on VulDB (ctiid.298777, id.298777, submit.512292), a GitHub issue at wangCCTV/cve/issues/2, and the vendor site phpgurukul.com.
The exploit has been disclosed publicly and may be used in attacks.
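As an added illustration, not PHPGurukul's code (which is not reproduced here), the pattern that produces this class of bug in an edit handler taking cid, classname, capacity and classtiming, beside a hardened version using mysqli prepared statements; the table and column names are assumed.

```php
<?php
// Added example, not the vendor's code. Table and column names are assumed.
// $con is an open mysqli connection; an authenticated admin session check
// belongs before either function is reached.

// Weak pattern: request values are concatenated straight into the SQL text,
// so any quote or operator in classname/capacity/classtiming rewrites the query.
function updateClassUnsafe(mysqli $con, array $post, string $cid): bool
{
    $sql = "UPDATE tblclass SET ClassName='" . $post['classname'] . "',"
         . " Capacity='" . $post['capacity'] . "',"
         . " ClassTiming='" . $post['classtiming'] . "'"
         . " WHERE ID='" . $cid . "'";
    return (bool) mysqli_query($con, $sql);
}

// Hardened pattern: the SQL text is fixed; every user-controlled value is
// validated and then bound as a parameter, so it is treated as data, never as SQL.
function updateClassSafe(mysqli $con, array $post, string $cid): bool
{
    $classname   = trim((string) ($post['classname'] ?? ''));
    $classtiming = trim((string) ($post['classtiming'] ?? ''));
    $capacity    = filter_var($post['capacity'] ?? null, FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 0]]);
    $id          = filter_var($cid, FILTER_VALIDATE_INT);
    if ($classname === '' || $capacity === false || $id === false) {
        return false; // reject malformed input rather than guess
    }
    $stmt = $con->prepare(
        'UPDATE tblclass SET ClassName = ?, Capacity = ?, ClassTiming = ? WHERE ID = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sisi', $classname, $capacity, $classtiming, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Typical use inside the handler (constructed, illustrative call):
// $cid = $_GET['cid'] ?? '';
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { updateClassSafe($con, $_POST, $cid); }
```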
Details
- CWE(s): CWE-74, CWE-89
Affected Products
- PHPGurukul Pre-School Enrollment System 1.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web application endpoint (/admin/edit-class.php) maps to exploitation of public-facing applications (T1190), abuse of server software components such as databases (T1505), and collection of data from databases via arbitrary queries (T1213.006).